user in LDAP is deleted but still have them on service now

ahatem
Mega Expert

The user is deleted in LDAP and is not there anymore, but I still have them in ServiceNow. I want them to be locked in ServiceNow when the user is no longer in LDAP.


Troy Riblett
Giga Guru

The following answer assumes that you are fine with users being automatically disabled in ServiceNow if their account is disabled in AD.



I would check the "LDAP User Import" transform map. It has a script in there (under transform scripts) to disable users when they are disabled in AD. I believe that this is an out of the box script, but that it starts out as disabled.



The version I see in our instance has the following set:

When: On Before
Application: Global
Active: True
Order: 100
Script:

//Deactivate LDAP-disabled users during transform based on 'userAccountControl' attribute.
//This transform script is inactive by default
//
//NOTE: User records must be visible based on the OU filter in order to be disabled

//Convert the userAccountControl attribute to a hex value
var ctrl = parseInt(source.u_useraccountcontrol, 10);
ctrl = ctrl.toString(16);

//The relevant digit is the final one
//A final hex digit value of '2' in 'ctrl' means disabled (AD flag ACCOUNTDISABLE = 0x0002)
if (ctrl.substr(-1) == "2") {
    target.active = false;
    target.locked_out = true;
    //Do not create a sys_user record for an account that is already disabled in AD
    if (action == 'insert')
        ignore = true;
} else {
    //Optional: Reactivate and unlock the user account
    target.active = true;
    //A second-to-last hex digit of '1' means locked out (AD flag LOCKOUT = 0x0010)
    target.locked_out = ctrl.substr(-2, 1) == "1";
}
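Added example, not from the original post and not ServiceNow's out-of-the-box code: plain JavaScript (runs under Node, not the ServiceNow scripting engine) that reproduces the transform script's hex-digit test beside a bitmask test of the same userAccountControl flags and reports where the two disagree. The function names, the sample values and the transformDecision() helper are assumptions made for this example; ACCOUNTDISABLE (0x0002) and LOCKOUT (0x0010) are the documented AD flag values. Note that neither check can act on an account that was deleted from LDAP rather than disabled, since the transform only ever sees rows the OU filter returns.

```javascript
// Added example: decodes Active Directory's userAccountControl the way the
// ServiceNow "LDAP User Import" transform script does (hex-digit check) and
// the way a bitmask check would. Not ServiceNow code; names are assumptions.
const ACCOUNTDISABLE = 0x0002; // documented AD flag: account is disabled
const LOCKOUT = 0x0010;        // documented AD flag: account is locked out

// The transform script's check: convert to hex and inspect the last digits.
function hexDigitCheck(uac) {
  const ctrl = parseInt(uac, 10).toString(16);
  return {
    disabled: ctrl.substr(-1) === "2",
    lockedOut: ctrl.substr(-2, 1) === "1",
  };
}

// Bitmask check: tests the flag bits directly, so neighbouring bits
// (e.g. SCRIPT = 0x0001, PASSWD_NOTREQD = 0x0020) cannot mask the result.
function bitmaskCheck(uac) {
  const ctrl = parseInt(uac, 10);
  if (Number.isNaN(ctrl)) {
    throw new Error("userAccountControl is not numeric: " + uac);
  }
  return {
    disabled: (ctrl & ACCOUNTDISABLE) !== 0,
    lockedOut: (ctrl & LOCKOUT) !== 0,
  };
}

// Mirrors the transform script's effect on the target sys_user record,
// returning the field values instead of writing to a GlideRecord (assumed shape).
function transformDecision(uac, action) {
  const flags = bitmaskCheck(uac);
  if (flags.disabled) {
    // Disabled in AD: deactivate, lock, and skip creating a brand-new record.
    return { active: false, locked_out: true, ignore: action === "insert" };
  }
  return { active: true, locked_out: flags.lockedOut, ignore: false };
}

// Constructed sample values in string form, as the import source row carries them.
const SAMPLES = [
  ["512", "NORMAL_ACCOUNT"],
  ["514", "NORMAL_ACCOUNT + ACCOUNTDISABLE"],
  ["66048", "NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD"],
  ["66050", "NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE"],
  ["528", "NORMAL_ACCOUNT + LOCKOUT"],
  ["515", "NORMAL_ACCOUNT + ACCOUNTDISABLE + SCRIPT (hex 0x203)"],
  ["560", "NORMAL_ACCOUNT + LOCKOUT + PASSWD_NOTREQD (hex 0x230)"],
];

// Returns the sample values on which the hex-digit check and the bitmask
// check disagree for either flag.
function disagreements() {
  return SAMPLES
    .map(([uac]) => uac)
    .filter((uac) => {
      const a = hexDigitCheck(uac);
      const b = bitmaskCheck(uac);
      return a.disabled !== b.disabled || a.lockedOut !== b.lockedOut;
    });
}

for (const [uac, label] of SAMPLES) {
  console.log(uac.padStart(6), label.padEnd(58),
    "hex:", JSON.stringify(hexDigitCheck(uac)),
    "mask:", JSON.stringify(bitmaskCheck(uac)));
}
console.log("disagree on:", disagreements().join(", "));
```

For the values most directories actually produce (512, 514, 66048, 66050, 528) both checks give the same answer, which is why the out-of-the-box digit test works in practice. The two constructed rows 515 and 560 show the edge: any other low flag bit set alongside ACCOUNTDISABLE or LOCKOUT changes the hex digit, and the digit test then leaves an AD-disabled account active in ServiceNow, while the bitmask test still catches it.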


markbe
Giga Contributor

Hi,

Can you confirm what the LDAP OU Definition filter would be when using this script, as I assume you are allowing all records to be filtered?

Thanks